Subject: RE: [wss] Current user-name password construction requires plain text password at server
> good point. let's call the inner hash the shared secret.
> given that are we assuming that the authentication interfaces
> provide access to the shared secret for the purpose of computing
> and thus verifying the keyed mac?

This is a good point I had forgotten. The use of a keyed MAC presumes a shared secret.

What I have seen in various LDAP products is that there is a password attribute which is part of the standard schema. It is intended for authentication of access to LDAP, but many organizations use it for authentication to other systems, such as web servers. Some products store the clear password, most store a hash, but different algorithms are used. Some provide a choice of clear or one or more hash schemes. A few products do not permit any value to be retrieved, even by a privileged user. The only thing they will do is check if a presented password is correct and log the user into LDAP.

In general, environments that only permit checking and not retrieval will be unable to use a hashed MAC. I don't really see what the WSS TC can do about this, as a keyed MAC is an attractively efficient alternative to a PK signature.

Hal
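An added illustration of the point made in this message, not code from the thread or from any WSS implementation: the "inner hash" is used as the shared secret keying an HMAC, and a server can verify that MAC only if its directory lets it read the stored hash; a check-only (bind-style) directory cannot supply the key. The SHA-256 hash scheme, the HMAC construction, the directory classes and the sample password, nonce and created values are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample data (not from the thread): a user's password, and the
# nonce/created values a UsernameToken-style message would carry.
PASSWORD = b"correct horse battery staple"
NONCE = b"c3RhdGljLW5vbmNl"
CREATED = b"2003-01-01T00:00:00Z"


def shared_secret(password: bytes) -> bytes:
    # Assumption: the directory stores an unsalted SHA-256 of the password.
    # Whatever the stored form is, it becomes the MAC key, so anyone who can
    # read it can forge MACs: it must be protected like the password itself.
    return hashlib.sha256(password).digest()


def keyed_mac(secret: bytes, nonce: bytes, created: bytes, body: bytes) -> bytes:
    return hmac.new(secret, nonce + created + body, hashlib.sha256).digest()


class RetrievableHashDirectory:
    """Directory that lets a privileged server read the stored hash."""
    def __init__(self, password: bytes):
        self._stored = shared_secret(password)

    def get_hash(self, user: str) -> bytes:
        return self._stored


class CheckOnlyDirectory:
    """Directory that only answers 'is this password correct?' (bind-style)."""
    def __init__(self, password: bytes):
        self._stored = shared_secret(password)

    def check(self, user: str, candidate: bytes) -> bool:
        return hmac.compare_digest(self._stored, shared_secret(candidate))


def client_sign(password: bytes, body: bytes) -> bytes:
    # The client knows the password, derives the shared secret and keys the MAC;
    # the clear password never leaves the client.
    return keyed_mac(shared_secret(password), NONCE, CREATED, body)


def server_verify(directory, user: str, body: bytes, mac: bytes) -> bool:
    # Verification needs the secret itself; a check-only interface cannot
    # supply it, which is the gap the message above describes.
    if not hasattr(directory, "get_hash"):
        raise NotImplementedError("check-only directory cannot verify a keyed MAC")
    expected = keyed_mac(directory.get_hash(user), NONCE, CREATED, body)
    return hmac.compare_digest(expected, mac)
```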